Umesh
Contributor

LACP configuration in FortiGate along with Cisco switch

Dear all,

 

I have some queries related to LACP configuration in FortiGate along with the Cisco switch, but before that I want to show the topology of what I want to do.

 

Please comment on whether this is possible or not.

[Attached screenshots: setup.JPG, lacp.JPG, policy.JPG, policy_traffic.JPG]

 

At the switch, I have configured G0/0 and G0/1 for LACP and trunking as well.

It is working fine, but when I bring down the G0/0 interface at the switch then it is not working.

Here is the configuration of the SW1 switch:

interface range GigabitEthernet0/0 - 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
 no shutdown

.....................................................

Here is the full configuration roadmap at the FortiGate firewall and the Cisco switch.

1. Created an aggregate interface from port3 & port4,

then assigned these ports to sub-interfaces.

2. Created policies as per the sub-interfaces; in the policy you can see that traffic is moving from the LAN to the WAN zone.

3. Created a default route towards WAN.

4. Created the LACP configuration at the switch.

5. Tested.

 

But it is not successful. Could you please help me, as I am a beginner; your support will be very helpful for me.

 

Thank you all.

Umesh

Toshi_Esumi
Esteemed Contributor III

Unless SW1 and SW2 are stacked, meaning they are virtually one switch, it's not going to work. If they are individual, you have to have 2 x 2 ports on SW1, with one set going to FG1 (port3/4) and another going to FG2 (port3/4). Then you need to use something like port6/7 on both FGTs to connect to SW2.

I recommend you stack SW1 and SW2 together. Then pair (SW1-Gi0/0 & SW2-Gi0/1) and (SW1-Gi0/1 & SW2-Gi0/0) in LACP.

 

Toshi

Umesh

Hi Toshi,

 

Let's suppose the primary FortiGate goes down; then connectivity also goes down, and traffic is not moving through the secondary firewall. Everything is correctly configured at the secondary FW with HA active-passive mode configuration.

When I check at the switch, I get the error: Operational Mode: down (suspended member of bundle Po1).

Switch#show interfaces status
Port Name Status Vlan Duplex Speed Type
Gi0/0 suspended trunk a-full auto RJ45

 

Please see the diagram as well:

[Attached diagrams: Umesh_0-1656923626995.png, Umesh_1-1656923659136.png]

 

Do you have any solutions for it?

 

Toshi_Esumi
Esteemed Contributor III

If those switches are not stacked, those switches are independently setting up LACP with both A-P HA FGTs. In a normal situation, FG2 is not sending/receiving any packets other than over the HA connection with FG1. So your SW1's port-channel (if Cisco) always works at 1Gig, not 2Gig. You have to have two GigE connections going into both FG1 and FG2 to do regular LACP. Then when FG1 goes down, SW1 can fail over the 2Gig to FG2.

HA doesn't fail over L2 protocols like LACP. It might re-establish a new LACP neighboring with FG2 when FG1 goes down in your setup. But your test result is showing that's not the case. So you proved it's not a proper design.

 

Toshi

Moony
New Contributor

Hello, I have the same setup as above (HA failover FortiGate 201F which connects to two stacked Catalyst 9300x24y) and ran into the same issue. Did you ever find a working solution?

ndawedua
New Contributor

Hello, to resolve this issue I recommend creating two different port-channels.

Ndawendua Neto
KhalidBouchlaghem

Hello,

I have the same architecture, 2 FG 100F in HA and 2 stacked Catalyst 9500, with Po13 for the ports connected to 2 ports on the FG (X1, X1), and all ports are in trunk mode. The problem is that the interface on the master is shown as down even though the port is up and the LACP is well configured:

[Attached screenshot: interface problem.jpg]

Umesh
Contributor

Same problem not resolved yet.

KhalidBouchlaghem
New Contributor

Did you try to put each FGT in a separate channel group (ports connected to the same FGT should be in the same channel group)? [Attached screenshot: Screenshot 2024-02-14 084014.jpg]
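The two replies above (ndawedua's and KhalidBouchlaghem's) both recommend one port-channel per FortiGate, and Toshi's explanation gives the reason: HA does not fail over LACP, and every member of a single LACP bundle must see the same partner system ID. In an active-passive pair, FG1 and FG2 are two different LACP partners, so a switch that has links to both FGTs in one bundle suspends the member that does not match the partner it first negotiated with, which is exactly the "suspended member of bundle Po1" state shown earlier in the thread. Below is an added example of the two-bundle design; it is not configuration from any poster on this thread or from Fortinet/Cisco documentation. It assumes a two-member Catalyst stack, with Gi1/0/1 and Gi2/0/1 cabled to FG1 port3/port4 and Gi1/0/2 and Gi2/0/2 cabled to FG2 port3/port4. The interface names, channel-group numbers, VLAN IDs, addresses and the aggregate name "agg-lan" are all assumptions.

```text
! ---- Stacked Catalyst (Cisco IOS-XE), constructed example ----
! Port-channel 1: both members go to FG1, one link per stack member.
! (Catalyst 9300/9500 are dot1q-only; on older platforms add
!  "switchport trunk encapsulation dot1q" before "switchport mode trunk".)
interface Port-channel1
 description To-FG1-port3-port4
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
 description To-FG1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
 no shutdown
!
! Port-channel 2: both members go to FG2. Same VLANs, but a separate
! bundle, so the switch negotiates LACP with FG2 independently of FG1.
interface Port-channel2
 description To-FG2-port3-port4
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range GigabitEthernet1/0/2, GigabitEthernet2/0/2
 description To-FG2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 2 mode active
 no shutdown
!
# ---- FortiGate (FortiOS CLI), constructed example ----
# HA synchronises this configuration to the secondary unit, so each
# chassis brings up its own LAG against its own port-channel above.
config system interface
    edit "agg-lan"
        set vdom "root"
        set type aggregate
        set member "port3" "port4"
        set lacp-mode active
    next
    edit "vlan10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set interface "agg-lan"
        set vlanid 10
    next
end
```

To check the result on the switch, `show etherchannel summary` should list both Po1 and Po2 as in use (SU) with every member port bundled (P) rather than suspended (s); with FG1 active, Po2 still forms because the secondary FortiGate keeps its own LACP session up. On the FortiGate, `diagnose netlink aggregate name agg-lan` shows the negotiated partner and per-member state for the local unit.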
